RAM users created under an Alibaba Cloud account have no permissions by default. To let a RAM user manage Elastic Container Instance (ECI) resources, attach a permission policy to the user.
Prerequisites
Before you begin, ensure that you have:
A RAM user. See Create a RAM user
Available policies
Two system policies cover ECI resources. Use the table below to choose the right one.
| Policy | Access level | Included permissions |
|---|---|---|
| AliyunECIReadOnlyAccess | Read-only | eci:Describe*, eci:List* — query ECI resourcesecs:DescribeSecurityGroups — query security groupsvpc:DescribeVSwitches — query vSwitchesvpc:DescribeVpcs — query virtual private clouds (VPCs) |
| AliyunECIFullAccess | Full management | eci:* — all ECI operationsecs:DescribeSecurityGroups — query security groupsvpc:DescribeVSwitches — query vSwitchesvpc:DescribeVpcs — query VPCsvpc:DescribeEipAddresses — query Elastic IP Addresses (EIPs) |
If the RAM user needs to work in the ECI console, attach AliyunECIFullAccess plus a custom policy that grants the following additional permissions:
| Action | Purpose |
|---|---|
ram:ListRoles | Query RAM roles of instances |
nas:DescribeFileSystems | Query NAS (network-attached storage) file systems |
oss:ListBuckets | Query Object Storage Service (OSS) buckets |
vpc:DescribeCommonBandwidthPackages | Query EIP bandwidth plans |
cr:GetRepoList, cr:GetRepoTags, cr:GetImageManifest, cr:SearchRepo | Query and search image repositories |
Grant permissions
Step 1: Create the custom policy (console access only)
Skip this step if the RAM user only needs API access.
Log on to the RAM console with your Alibaba Cloud account.
In the left navigation pane, choose Permissions > Policies.
Click Create Policy.
Click the JSON tab, paste the following policy, and click OK.
{ "Statement": [ { "Action": "ram:ListRoles", "Effect": "Allow", "Resource": "*" }, { "Action": "nas:DescribeFileSystems", "Effect": "Allow", "Resource": "*" }, { "Action": "oss:ListBuckets", "Effect": "Allow", "Resource": "*" }, { "Action": "vpc:DescribeCommonBandwidthPackages", "Effect": "Allow", "Resource": "*" }, { "Action": [ "cr:GetRepoList", "cr:GetRepoTags", "cr:GetImageManifest", "cr:SearchRepo" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }Enter a name in the Name field and click OK.
Step 2: Attach policies to the RAM user
In the left navigation pane, choose Identities > Users.
Find the RAM user and click Add Permissions in the Actions column.
Configure the following parameters.
Parameter Description Resource Scope Account: permissions apply to the current Alibaba Cloud account.
ResourceGroup: permissions apply to a specific resource group.Principal The RAM user to grant permissions to. Pre-populated based on your selection; you can change it. Policy Select based on the access level needed:
- View ECI resources only → AliyunECIReadOnlyAccess
- Manage ECI resources via API → AliyunECIFullAccess
- Manage ECI resources via the ECI console → AliyunECIFullAccess + the custom policy from Step 1Click Grant permissions and follow the on-screen instructions.
What's next
To manage ECI permissions at a finer granularity, use resource groups or labels to control what individual RAM users can access: